Aaron Kerr


Does Adequately Covering your IT Audit Universe Feel Daunting? There is a Solution, Embrace the Data!

“Improve the efficiency and effectiveness of auditing through the use of data analytics.” This Internal Audit mantra feels as tired, old, and nebulous as it did when I started hearing it consistently 10-15 years ago. This is not to say that many organizations haven’t built successful, data-driven audit programs; they absolutely have. However, I still see a significant gap when it comes to using data-driven auditing for the classic IT audit areas (e.g. Information Security Governance, Access and Authentication Management, Patch Management, Vulnerability Management, Asset Management, Configuration Management).

This challenge is especially daunting for small and mid-sized organizations that do not have dedicated IT audit staff. Honestly, it becomes downright impossible to effectively cover the bevy of IT related risks in today’s landscape, even with a small IT audit staff. Let me introduce your potential solution to this IT audit conundrum: DATA ANALYTICS!

You may not be aware of the plethora of data available as the normal output of the processes performed by your IT or Security & Compliance teams. This data is typically produced by scans that your technology teams run to inform themselves of potential security concerns or operational priorities. However, with the right analytical techniques, this same data can be used to effectively “audit” many of the core security and operational IT processes at your organization. Typically, a small or mid-sized organization can get sufficient IT audit coverage with one audit assessment! To ensure independence, you can also run your own scans and analyze the output.

At Clearview, we typically frame this assessment using the Center for Internet Security (CIS) Top 20 controls. Although the CIS Top 20 controls have a security focus, operational IT audit activities (e.g. Patch Management, Configuration Management) are inherently included. This is where the rubber meets the road in maximizing IT audit universe coverage (see Figure A below).

Figure A

Data-driven technical testing provides varying levels of coverage over the top 6 CIS controls. Traditional walkthroughs and limited control-based testing can provide adequate coverage over the remaining 14 CIS controls. Again, this is especially useful for small to mid-sized organizations because of the efficient, broad coverage it provides. This approach can also create efficiency in executing the IT audit plan for organizations of any size.

Here is one final example from a client on how effectively data driven auditing worked to evaluate the patch management process: “Your testing demonstrated that patches are not being applied consistently in my environment, so why do we even need to walk through the current process? Let’s figure out what is broken and fix it!”

I agree, why not start with the data?
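To make “starting with the data” concrete, here is an added example of the kind of patch-management test the article describes: it takes a scan export listing missing patches per host, measures how long each patch has been outstanding against a remediation SLA, and reports which hosts are out of compliance. This is illustrative code written for this page, not Clearview’s tooling or a real scanner’s output; the CSV rows, the host names, the patch identifiers (`KB-EXAMPLE-…`) and the SLA thresholds in `SLA_DAYS` are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Assumed remediation SLA, in days from patch release, per severity.
# This is a hypothetical policy for the example, not a standard from the page.
SLA_DAYS = {"critical": 14, "important": 30, "moderate": 60, "low": 90}

# Constructed sample scan export (not real scan data): one row per missing patch.
SCAN_OUTPUT = """host,patch,severity,released,scanned
srv-app-01,KB-EXAMPLE-0001,critical,2024-01-10,2024-03-01
srv-app-01,KB-EXAMPLE-0002,moderate,2024-02-20,2024-03-01
srv-db-01,KB-EXAMPLE-0001,critical,2024-01-10,2024-03-01
srv-db-01,KB-EXAMPLE-0003,important,2024-02-25,2024-03-01
ws-fin-07,KB-EXAMPLE-0004,critical,2024-02-27,2024-03-01
ws-hr-03,KB-EXAMPLE-0002,moderate,2024-02-20,2024-03-01
"""

# Constructed list of every host the scan actually reached. A findings-only export
# omits fully patched hosts, so the denominator must come from somewhere else.
SCANNED_HOSTS = ["srv-app-01", "srv-db-01", "srv-web-02", "ws-fin-07", "ws-hr-03"]


def parse_scan(text):
    """Parse a CSV scan export into rows with real date objects."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": rec["host"],
            "patch": rec["patch"],
            "severity": rec["severity"].strip().lower(),
            "released": date.fromisoformat(rec["released"]),
            "scanned": date.fromisoformat(rec["scanned"]),
        })
    return rows


def overdue_findings(rows, sla=SLA_DAYS):
    """Return the missing patches whose age at scan time exceeds the SLA for their severity."""
    strictest = min(sla.values())  # unknown severity is judged against the tightest SLA
    overdue = []
    for r in rows:
        age = (r["scanned"] - r["released"]).days
        limit = sla.get(r["severity"], strictest)
        if age > limit:
            overdue.append({**r, "age_days": age, "days_overdue": age - limit})
    return overdue


def host_summary(rows, scanned_hosts=None, sla=SLA_DAYS):
    """Per-host view: patches missing, patches breaching SLA, and a pass/fail flag.

    Hosts named in scanned_hosts but absent from the findings had nothing missing and
    count as compliant; without that list, fully patched hosts would be invisible.
    """
    overdue_by_host = defaultdict(int)
    for f in overdue_findings(rows, sla):
        overdue_by_host[f["host"]] += 1

    summary = {}
    for host in scanned_hosts or []:
        summary[host] = {"missing": 0, "overdue": 0}
    for r in rows:
        summary.setdefault(r["host"], {"missing": 0, "overdue": 0})["missing"] += 1
    for host, s in summary.items():
        s["overdue"] = overdue_by_host[host]
        s["compliant"] = s["overdue"] == 0
    return summary


def compliance_rate(summary):
    """(compliant hosts, total hosts, percentage): the audit test's headline metric."""
    total = len(summary)
    compliant = sum(1 for s in summary.values() if s["compliant"])
    return compliant, total, (100.0 * compliant / total if total else 0.0)


if __name__ == "__main__":
    rows = parse_scan(SCAN_OUTPUT)
    summary = host_summary(rows, SCANNED_HOSTS)
    ok, total, pct = compliance_rate(summary)
    print(f"{ok}/{total} hosts within patch SLA ({pct:.1f}%)")
    for f in overdue_findings(rows):
        print(f"  {f['host']}: {f['patch']} ({f['severity']}) "
              f"outstanding {f['age_days']} days, {f['days_overdue']} past SLA")
```

Two design points matter more than the arithmetic. First, the denominator comes from the list of hosts the scan reached, not from the findings file, because a findings-only export silently drops fully patched machines and, just as importantly, cannot show you machines the scanner never saw; reconciling `SCANNED_HOSTS` against the asset inventory is how this single test also exercises the asset-management control. Second, the SLA table is an input, so the same script re-runs against whatever remediation policy the organization actually documents, which is the comparison an auditor needs to make.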

Contact us and let us help you get started focusing your resources for a more efficient and effective internal audit process. https://cviewllc.com
